This document supports the version of each product listed and
supports all subsequent versions until the document is replaced
by a new edition. To check for more recent editions of this
document, see http://www.vmware.com/support/pubs.
EN-000856-00
Installing Application Manager
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
2 VMware, Inc.
Contents
1 Installing and Configuring Application Manager 5
    Application Manager Deployment Checklists 9
2 Introduction to Application Manager 11
3 Security Considerations and System Requirements for Application Manager 19
    Application Manager Recommendations and Requirements 19
4 Preparing to Install Application Manager 23
    Prepare to Install Application Manager 23
    Convert the Virtual Appliance File Format 24
5 Installing Application Manager 27
    Start the Application Manager Virtual Appliance 27
    Use the Virtual Appliance Interface for the Initial Application Manager Configuration 28
6 Configuring Application Manager with the Operator Setup Wizard 33
    Access the Application Manager Operator Web Interface 33
7 Making Additional Application Manager Configurations 35
    Configure Application Manager for Logging 35
    Configuring SSL Connectivity to Application Manager 36
    Configuring Clustering for Application Manager 41
    Update Application Manager 44
8 Troubleshooting Application Manager 47
    Potential Network Time Protocol Issue 47
    Missing the Application Manager Operator Web Interface Password 48
    Connector Issue Prevents Administrator Access to Application Manager 49
    Using a Static IP Address for Application Manager with vCenter Server Can Result in an Access Issue 50
Index 51
1 Installing and Configuring Application Manager
This information describes how to install the on-premise Application Manager appliance, as opposed to the
hosted version of Application Manager. When you host Application Manager on premise, you control the operator and
administrator pages that allow you to manage end-user access to your Windows, SaaS, and Web applications.
The Connector is a required component that you must install separately.
Intended Audience
This information is intended for organization administrators. The information is written for experienced
Windows and Linux system administrators who are familiar with VMware virtual machine technology,
identity management, entitlement, and directory services. SUSE Linux is the underlying operating system of
the Application Manager virtual appliance. Knowledge of Linux is essential to configure the Application
Manager directly and to perform system-level functions, such as configuring network settings, time settings,
and log files. Knowledge of other technologies, such as VMware ThinApp and RSA SecurID, is helpful if you
plan to implement those features.
Application Manager Installation Overview
This process involves a variety of tasks, and you can deploy Application Manager in several different ways.
A key distinction between deployments is the mode of authentication you choose. See Chapter 2, "Introduction to
Application Manager," on page 11. Another important deployment factor is whether you choose to provide
Application Manager users with access to Windows applications captured as ThinApp packages. See Installing and Configuring the Connector for more information.
Installation and Configuration Flow of an Application Manager Deployment
Figure 1-1 provides a broad overview of the installation and configuration tasks involved in an on-premise
Application Manager deployment. The summary that follows reiterates the main steps.
Figure 1-1. Application Manager Installation and Configuration Flowchart

[Flowchart: Prepare your environment → Obtain the virtual appliances → Install and configure the Service virtual appliance → Configure the Service as an operator → Install and configure the Connector → Return to the Service as an operator → Configure the Service as an administrator → Configure logging → Provide users with URLs to access applications → End. Each stage is described in the summary that follows.]

NOTE SSL connectivity to the Service and the Connector is disabled by default to simplify the configuration of your
Application Manager deployment during the proof-of-concept phase. You can enable SSL later when you are prepared
to put Application Manager into production. Verify that the state of SSL, enabled or disabled, always matches between
the Connector and the Service.
After you enable SSL for your Application Manager deployment, perform the following tasks that apply:
• If you are providing users with access to Windows applications captured as ThinApp packages, reinstall
the Horizon Agent on each user's system to update the Service URL from HTTP to HTTPS.
• Update each SAML application that you previously configured without SSL so that it reaches Application
Manager using HTTPS instead of HTTP. This might involve working with account administrators for specific
applications.
1 Prepare your environment:
  • Create DNS records for Application Manager and the Connector.
  • Ensure hardware and software requirements are met.
  • Prepare the optional features that apply. For example, create the ThinApp repository for ThinApp
    integration and configure KDC for Kerberos authentication.
  • Prepare vSphere for Connector Authentication mode.
2 Obtain virtual appliances:
  • Obtain the Application Manager and Connector virtual appliances.
3 Install and configure the Application Manager virtual appliance:
  • Provide network information, including:
    • IP/subnet/gateway info
    • DNS servers
    • Hostname
    • A Network Time Protocol server
    • Time zone
    • SSL connectivity to Application Manager
4 Configure Application Manager as an operator:
  • Use a browser to log in to the Operator Web interface.
  • Run the setup wizard to create your first organization.
  • Copy and save the URL for Application Manager and the activation code for the Connector. Store the
    activation code as you would a credential.
5 Install and configure the Connector:
  • Configure the Connector using the virtual appliance interface and the applicable wizards of the Web
    interface. If you are providing users with access to Windows applications captured as ThinApp
    packages, configure Windows Apps in the Connector setup wizard. You can also perform additional
    configuration such as setting up RSA SecurID.
  • In the Web interface, you can enable SSL for end user authentication.
6 Return to Application Manager as an operator of your first organization:
  • Create delegated operators, add applications, add additional organizations, and so on.
7 Configure Application Manager as an administrator:
  • Using a browser, return to Application Manager for further configuration. For example, you can add
    ThinApp packages, configure IdP Discovery for ThinApp integration, add applications, create
    groups, set entitlements, and define roles for delegated administration.
8 Configure logging:
  • Configure logging for Application Manager. Return to the Connector virtual appliance interface to
    configure logging for the Connector.
9 Provide users with URLs to access applications:
  • Distribute URLs to users to provide access to the User Web interface and directly to individual
    applications.
Trial, Test, and Production Deployment Phases
To reduce the complexity of the deployment process, you might want to deploy Application Manager in phases.
SSL connectivity, load balancing, and high availability add layers of complexity to your deployment that can
be avoided during the proof-of-concept phase.
By default, secure ports are disabled for the Connector and Application Manager. For the proof-of-concept
phase, you can install the Connector and Application Manager using the default insecure ports. This frees you
during this phase from managing SSL certificates. Because everything that crosses the insecure ports, including
user credentials and SAML assertions, travels in cleartext, keep a proof-of-concept deployment on an isolated
test network and use test accounts rather than production credentials.
Also, by default, Application Manager uses an internal database server. To support load balancing or high
availability you must install and configure a supported external database server and point multiple Application
Manager instances to that external database server. For the proof-of-concept phase, you can use the default
internal database server. This frees you from installing an external database server and configuring clustering.
Table 1-1. Recommended Phases of Deployment

Phase: Trial (Proof-of-Concept)
Recommended Actions:
  SSL Connectivity (Do not configure)
  • For Application Manager, keep the insecure ports enabled and the secure ports disabled.
    These settings are accessible with the Application Manager virtual appliance interface, on
    the Configure Web Server screen.
  • For the Connector, accept the default insecure mode. This setting is accessible with the
    Connector virtual appliance interface, on the Configure Web Server screen.
  NOTE You can test ThinApp integration in Insecure mode.
  Load Balancing and High Availability (Do not configure)
  • For Application Manager, keep the internal database server configuration. This setting is
    accessible with the Application Manager virtual appliance interface, on the Configure
    Database Connection screen.

Phase: Test (Pre-Production)
Recommended Actions:
  SSL Connectivity
  • For Application Manager, disable the insecure ports and enable the secure ports.
  • For the Connector, enable secure mode, which requires you to reset and reconfigure the
    Connector.
  • Generate both an Application Manager SSL certificate and a Connector SSL certificate.
  • If you are using self-signed SSL certificates, deploy the certificates to user machines. In
    addition, distribute the Application Manager certificate to each Connector instance.
  • Reconfigure SAML applications to use HTTPS instead of HTTP.
  • Reinstall the Horizon Agent on user machines to use HTTPS instead of HTTP.
  Load Balancing and High Availability
  • For Application Manager, install a supported external database server and point multiple
    Application Manager instances to that external database server.

Phase: Production
Recommended Actions:
  SSL Connectivity
  • Replace your self-signed SSL certificates with signed third-party CA certificates.
  • For Application Manager, verify that insecure ports are disabled and secure ports are
    enabled.
  • For the Connector, verify that secure mode is enabled.
  • Verify that SAML applications are configured for HTTPS.
  • Verify that the Horizon Agent has been reinstalled on user machines to use HTTPS.
  Load Balancing and High Availability
  • For Application Manager, install a supported external database server and point multiple
    Application Manager instances to that external database server.
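The production-phase check "Verify that SAML applications are configured for HTTPS" can be automated against each application's SAML metadata instead of being done by eye. The script below is an added example for this guide, not VMware code; it relies only on the standard SAML 2.0 metadata namespace, and the entity IDs, host names and paths in the embedded sample metadata are constructed.

```python
"""Flag SAML metadata endpoints that still use HTTP after SSL has been enabled.

Added example, not VMware code. Parses standard SAML 2.0 metadata
(urn:oasis:names:tc:SAML:2.0:metadata) and reports every endpoint whose
Location or ResponseLocation does not use https. Sample data is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Endpoint elements whose URLs must be HTTPS once the secure ports are in use.
ENDPOINT_TAGS = {
    "AssertionConsumerService",   # where the SAML application receives assertions
    "SingleSignOnService",        # where the IdP receives authentication requests
    "SingleLogoutService",
    "ArtifactResolutionService",
}

# Constructed sample: one SAML application (SP) whose ACS still points at HTTP,
# plus a hypothetical Application Manager IdP entry that already uses HTTPS.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://app.example.com/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="0"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://app.example.com/saml/acs"/>
      <md:SingleLogoutService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://app.example.com/saml/slo"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://myhost.mydomain.com/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://myhost.mydomain.com/idp/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _local(tag):
    """Strip the {namespace} prefix that ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]


def find_insecure_endpoints(metadata_xml):
    """Return (entityID, element, attribute, url) for every endpoint whose URL
    scheme is not https. An empty list means the metadata is HTTPS-only."""
    root = ET.fromstring(metadata_xml)
    findings = []
    # iter() on the root includes the root itself, so a file holding a single
    # EntityDescriptor is handled the same way as an EntitiesDescriptor.
    for entity in root.iter("{%s}EntityDescriptor" % MD_NS):
        entity_id = entity.get("entityID", "")
        for element in entity.iter():
            if _local(element.tag) not in ENDPOINT_TAGS:
                continue
            for attr in ("Location", "ResponseLocation"):
                url = element.get(attr)
                if url is not None and urlparse(url).scheme.lower() != "https":
                    findings.append((entity_id, _local(element.tag), attr, url))
    return findings


def metadata_is_https_only(metadata_xml):
    """True when no endpoint in the metadata uses a non-HTTPS scheme."""
    return not find_insecure_endpoints(metadata_xml)


if __name__ == "__main__":
    for entity_id, element, attr, url in find_insecure_endpoints(SAMPLE_METADATA):
        print("%s: %s %s is not HTTPS: %s" % (entity_id, element, attr, url))
```

Run it against the metadata you exported from each SAML application (and the metadata Application Manager publishes for itself) after the switch to the secure ports; any line of output is an application that will still carry assertions over HTTP.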
Application Manager Deployment Checklists
You can use the Application Manager Deployment Checklist to gather the necessary information to install
Application Manager on premise.

Network Information for Application Manager
Table 1-2. Application Manager Network Checklist
Information to Gather | List the Information
IP Address |
Subnet Mask |
Gateway |
DNS Server |

Network Information for the Connector
Table 1-3. Connector Network Checklist
Information to Gather | List the Information
IP Address |
Subnet Mask |
Gateway |
DNS Server |

DNS Record for Application Manager
Table 1-4. Application Manager DNS Checklist
Information to Gather | List the Information
Application Manager Host (MyHost.MyDomain.com). The best practice is to use the same name for MyHost that you plan to use for your first organization. |
First Organization (MyOrg.MyDomain.com). When you configure Application Manager, organizations are created as logical/functional containers for users and applications. |

DNS Record for the Connector
Table 1-5. Connector DNS Checklist
Information to Gather | List the Information
Connector Host |

Active Directory Domain Controller
Table 1-6. Active Directory Domain Controller Checklist
Information to Gather | List the Information
Active Directory IP Address |
Active Directory FQDN |
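Before typing the checklist values into the virtual appliance interfaces, it pays to check them for internal consistency, since a gateway on the wrong subnet or a bare host name where an FQDN is needed only surfaces later as an unreachable appliance. The validator below is an added example, not part of this guide or the product; the field names, the subnet and naming checks, and every address and host name in the sample checklist are constructed.

```python
"""Consistency checks on the gathered deployment checklist values.

Added example, not VMware code. Validates the values collected in Tables 1-2
through 1-6 before they are entered into the appliances. All sample data and
the dictionary field names are constructed.
"""
import ipaddress
import re

# Host name labels per RFC 1123, and at least two labels so "myhost" alone fails.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I
)


def check_network(label, entry):
    """Validate one network checklist (Table 1-2 or 1-3): IP, mask, gateway, DNS."""
    problems = []
    try:
        ip = ipaddress.IPv4Address(entry["ip"])
        net = ipaddress.IPv4Network("%s/%s" % (entry["ip"], entry["mask"]), strict=False)
        gateway = ipaddress.IPv4Address(entry["gateway"])
        dns = ipaddress.IPv4Address(entry["dns"])
    except (ValueError, KeyError) as exc:
        return ["%s: unusable network entry (%s)" % (label, exc)]
    if ip in (net.network_address, net.broadcast_address):
        problems.append("%s: %s is not a usable host address in %s" % (label, ip, net))
    if gateway not in net:
        problems.append("%s: gateway %s is outside %s" % (label, gateway, net))
    if gateway == ip:
        problems.append("%s: gateway equals the appliance address" % label)
    if dns == ip:
        problems.append("%s: DNS server equals the appliance address" % label)
    return problems


def check_dns(dns_entries):
    """Validate the DNS checklists (Tables 1-4 to 1-6) and the naming best practice."""
    problems = []
    for key in ("am_host", "first_org", "connector_host", "ad_fqdn"):
        name = dns_entries.get(key, "")
        if not FQDN_RE.match(name):
            problems.append("%s: %r is not a fully qualified domain name" % (key, name))
    try:
        ipaddress.IPv4Address(dns_entries.get("ad_ip", ""))
    except ValueError:
        problems.append("ad_ip: %r is not a valid IPv4 address" % dns_entries.get("ad_ip"))
    am = dns_entries.get("am_host", "").lower()
    org = dns_entries.get("first_org", "").lower()
    # Best practice from Table 1-4: MyHost should be the same name as the first organization.
    if am and org and am.split(".", 1)[0] != org.split(".", 1)[0]:
        problems.append("best practice: MyHost (%s) should match the first organization name (%s)" % (am, org))
    if am and am == dns_entries.get("connector_host", "").lower():
        problems.append("Application Manager and the Connector need distinct DNS records")
    return problems


def validate_checklist(checklist):
    """Run every check; an empty result means the checklist is consistent."""
    problems = []
    problems += check_network("Application Manager", checklist["am_network"])
    problems += check_network("Connector", checklist["connector_network"])
    problems += check_dns(checklist["dns"])
    return problems


# Constructed checklist with two deliberate mistakes: the Connector gateway is on
# another subnet, and the Application Manager host name differs from the org name.
SAMPLE_CHECKLIST = {
    "am_network": {"ip": "10.0.10.20", "mask": "255.255.255.0", "gateway": "10.0.10.1", "dns": "10.0.1.5"},
    "connector_network": {"ip": "10.0.10.21", "mask": "255.255.255.0", "gateway": "10.0.20.1", "dns": "10.0.1.5"},
    "dns": {
        "am_host": "apps.mydomain.com",
        "first_org": "myorg.mydomain.com",
        "connector_host": "connector.mydomain.com",
        "ad_fqdn": "dc01.mydomain.com",
        "ad_ip": "10.0.1.5",
    },
}

if __name__ == "__main__":
    for line in validate_checklist(SAMPLE_CHECKLIST) or ["checklist is consistent"]:
        print(line)
```

The checks are deliberately offline: whether the names actually resolve against the DNS server you listed, and whether the domain controller answers, is confirmed from the appliance consoles once they are on the network.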
2 Introduction to Application Manager
Application Manager is an identity and access management service or virtual appliance that unifies your
software as a service (SaaS) applications and Windows applications (captured as ThinApp packages) into a
single catalog for entitlement.
The following terms describe the components of an Application Manager deployment and the interfaces you use to manage them.

Application Manager deployment (no other name): The deployment, including Application Manager, the Connector, the related interfaces to access those components, and all other components necessary to enable users to access applications.

Application Manager (also called the hosted service or the on-premise appliance): Two versions of Application Manager exist: the hosted service and the on-premise virtual appliance. As a generalization, both versions are referred to as the service. If you have the hosted service, it is maintained for you. If you have the on-premise appliance, you install and maintain it yourself. Application Manager stores entitlement, SaaS, policy, and ThinApp package information and communicates with your Connector instances to access Active Directory information.

Application Manager virtual appliance interface (also called the virtual appliance interface): The interface of the Application Manager virtual appliance. You use this interface to perform the initial configuration of Application Manager on premise. You also use this interface to access the command-line interface of the underlying Linux operating system.

Operator Web interface: The browser-based interface of the on-premise version of Application Manager that individuals with operator privileges access to manage organizations and the Operator application catalog. Application Manager provides multi-tenancy. This interface provides an overview of all the organizations managed by Application Manager.

Administrator Web interface: The browser-based interface of Application Manager that you, as an administrator of a specific organization, use to manage user access and entitlements to SaaS and ThinApp-packaged applications. This interface provides an overview of a single organization.

User Web interface (also called the Workspace): The browser-based interface of Application Manager that users access to use SaaS or ThinApp-packaged applications. This interface includes the User Portal, which provides users easy access to applications.

Internal database server: The database server, version 9.1, that ships with the on-premise version of Application Manager. You can use this internal database server during the proof-of-concept phase of deployment. For production, you should disable the internal database server and use a supported external database server, such as PostgreSQL 9.1.

Operator application catalog (also called the Operator catalog): The master catalog of applications, which is accessible using the Operator Web interface. Operators can create applications in this catalog. Operators can assign applications to all organizations in the system or only to specific organizations.

Administrator application catalog (also called the Administrator catalog): A catalog of applications accessible using the Administrator Web interface. You, as an organization administrator, manage the applications assigned to you by operators. To make applications available to users, you must move them from the Administrator source application catalog to the Administrator active application catalog.

User application catalog (also called the User catalog): A catalog of applications accessible using the User Web interface. Users access and use the applications assigned to them by you as an organization administrator.

Connector (also called the Connector Appliance or a Connector instance): The virtual appliance you install in your enterprise network to connect Application Manager to Active Directory and to the ThinApp package repository.

Connector virtual appliance interface (no other name): The interface of the Connector virtual appliance. You use this interface to make the initial configurations of the Connector. You also use this interface to access the command-line interface of the underlying Linux operating system.

Connector Web interface: The browser-based interface that you use to configure and manage the Connector after using the Connector virtual appliance interface to make the initial Connector configurations.

ThinApp repository (also called the ThinApp package repository): A shared folder that you create to store Windows applications captured as ThinApp packages. You then provide users access to these applications.

Horizon Agent: Software installed on users' Windows systems that allows users to access Windows applications captured as ThinApp packages.
Flow of Applications Through the Various Application Manager Catalogs
Applications move through a hierarchy of Application Manager catalogs before appearing in a user's User
Portal, where the user can launch them.
1 The Application Manager Appliance ships with a set of default applications available in the Operator
application catalog. Operators then customize the Operator application catalog by adding and deleting
applications. They can make specific applications available to each organization, which places the
application in the organization's Administrator source application catalog. Operators can make applications
public (available to all organizations) or private (available to only specified organizations).
2 When organization administrators initially access their organization's catalog, they access the
Administrator source application catalog, which was prepopulated by the operator. Administrators can
add applications not provided by operators. Next, administrators move the applications from the
Administrator source application catalog to the Administrator active application catalog. By adding group
and individual user entitlements, administrators entitle specific applications to specific users.
Administrators can entitle applications as automatic or self-activated.
3 When users access the Application Manager User Web interface, their Workspace, they see the User Portal
and an Application Catalog link. The application catalog lists all applications to which users are entitled.
Unless the administrator made an application automatically available, users must activate each
application in the User application catalog that they want to use. Activating an application moves it to the
User Portal where the user can launch it.

The catalogs are dynamic: applications can be added and deleted at every stage. The following example traces a set of applications through the catalogs.
• Application Manager ships with ten applications (OperatorApp1 through OperatorApp10). The operator
deletes seven applications and adds two others (OperatorApp11 and OperatorApp12).
• The operator assigns applications to each organization. For example, the operator assigns OperatorApp1,
OperatorApp4, OperatorApp11, and OperatorApp12 to Example Organization, where they populate the
Administrator source application catalog.
• The administrator of Example Organization adds OrgApp1 to the source catalog. Next, the administrator
moves OperatorApp1, OperatorApp12, and OrgApp1 to the active catalog, keeping OperatorApp4 and
OperatorApp11 inactive.
• Next, the administrator entitles users and groups to specific applications. The administrator can entitle
applications as either automatic or self-activated.
• Users launch applications from the User Portal, not the User catalog. Depending on how the administrator
assigned applications, users might be able to access all of their entitled applications immediately in the
User Portal. If not, they must go to the User catalog to activate an application. Users cannot add
applications to the catalog.
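The flow above is a separation-of-duties rule as much as a workflow: each catalog transition belongs to exactly one role, an application cannot be entitled before it is active, and a user can activate only what an administrator entitled. The model below is an added example, not VMware code. It replays the OperatorApp/OrgApp example from the text; which seven default applications the operator deletes, the user name alice, and the entitlement mode given to each application are constructed assumptions.

```python
"""Role-gated model of the Application Manager catalog hierarchy.

Added example, not VMware code. Operators feed organizations' source catalogs,
administrators activate and entitle, users activate only entitled applications.
The deleted default apps, the user and the entitlement modes are constructed.
"""


class PolicyError(Exception):
    """Raised when an actor attempts a step the catalog hierarchy does not permit."""


class Organization:
    def __init__(self, name):
        self.name = name
        self.source = set()       # Administrator source application catalog
        self.active = set()       # Administrator active application catalog
        self.entitlements = {}    # user -> {app: "automatic" | "self-activated"}
        self.activated = {}       # user -> apps the user activated in the User catalog


class ApplicationManager:
    def __init__(self, default_apps):
        self.operator_catalog = set(default_apps)
        self.orgs = {}

    # Operator role: owns the master catalog and chooses which organizations see what.
    def operator_add(self, app):
        self.operator_catalog.add(app)

    def operator_delete(self, app):
        self.operator_catalog.discard(app)

    def create_org(self, name):
        self.orgs[name] = Organization(name)

    def operator_assign(self, app, org_names=None):
        """Public (org_names=None) reaches every organization; private only the named ones."""
        if app not in self.operator_catalog:
            raise PolicyError("%s is not in the Operator catalog" % app)
        targets = self.orgs.values() if org_names is None else [self.orgs[n] for n in org_names]
        for org in targets:
            org.source.add(app)

    # Administrator role: scoped to one organization.
    def admin_add(self, org_name, app):
        self.orgs[org_name].source.add(app)

    def admin_activate(self, org_name, app):
        org = self.orgs[org_name]
        if app not in org.source:
            raise PolicyError("%s is not in the source catalog of %s" % (app, org_name))
        org.active.add(app)

    def admin_entitle(self, org_name, user, app, mode="self-activated"):
        org = self.orgs[org_name]
        if app not in org.active:
            raise PolicyError("%s must be active before it can be entitled" % app)
        if mode not in ("automatic", "self-activated"):
            raise ValueError("mode must be automatic or self-activated")
        org.entitlements.setdefault(user, {})[app] = mode

    # User role: sees only entitled applications and cannot add any.
    def user_catalog(self, org_name, user):
        return set(self.orgs[org_name].entitlements.get(user, {}))

    def user_activate(self, org_name, user, app):
        org = self.orgs[org_name]
        if app not in org.entitlements.get(user, {}):
            raise PolicyError("%s is not entitled to %s" % (user, app))
        org.activated.setdefault(user, set()).add(app)

    def user_portal(self, org_name, user):
        org = self.orgs[org_name]
        entitled = org.entitlements.get(user, {})
        automatic = {app for app, mode in entitled.items() if mode == "automatic"}
        # Intersecting with current entitlements means a revoked app leaves the portal too.
        return automatic | (org.activated.get(user, set()) & set(entitled))


def run_example():
    """Replay the worked example from the text and return each catalog's contents."""
    am = ApplicationManager("OperatorApp%d" % i for i in range(1, 11))
    for i in (2, 3, 5, 6, 8, 9, 10):          # constructed choice of the seven deletions
        am.operator_delete("OperatorApp%d" % i)
    am.operator_add("OperatorApp11")
    am.operator_add("OperatorApp12")
    org = "Example Organization"
    am.create_org(org)
    for app in ("OperatorApp1", "OperatorApp4", "OperatorApp11", "OperatorApp12"):
        am.operator_assign(app, [org])
    am.admin_add(org, "OrgApp1")
    for app in ("OperatorApp1", "OperatorApp12", "OrgApp1"):
        am.admin_activate(org, app)
    am.admin_entitle(org, "alice", "OperatorApp1", "automatic")
    am.admin_entitle(org, "alice", "OperatorApp12", "self-activated")
    am.admin_entitle(org, "alice", "OrgApp1", "self-activated")
    portal_before = am.user_portal(org, "alice")
    am.user_activate(org, "alice", "OperatorApp12")
    return {
        "operator": set(am.operator_catalog),
        "source": set(am.orgs[org].source),
        "active": set(am.orgs[org].active),
        "user_catalog": am.user_catalog(org, "alice"),
        "portal_before": portal_before,
        "portal_after": am.user_portal(org, "alice"),
    }


if __name__ == "__main__":
    for name, apps in run_example().items():
        print("%-13s %s" % (name, sorted(apps)))
```

Alice's portal holds only OperatorApp1 (automatic) until she activates OperatorApp12 from her User catalog; OperatorApp4 and OperatorApp11 never reach her because the administrator left them inactive, and any attempt to entitle an inactive application or to activate an unentitled one raises PolicyError.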
Application Manager User Authentication
Application Manager validates usernames and passwords by using your on-site Active Directory server.
You install the Connector as a virtual appliance that communicates with your local directory using LDAP.
You can use LDAP over SSL; without it, the Connector's bind credentials and the user passwords it verifies
cross the network in cleartext.
The Connector can operate in two different modes: Connector Authentication mode or Service Authentication
mode. You can also combine both modes in one deployment. However, the Application Manager Appliance
supports only Connector Authentication mode. Service Authentication mode is supported for the Application
Manager hosted service. The mode of authentication determines the flow of user authentication to access
Application Manager.
In Connector Authentication mode, once users are logged in to the internal network, they are usually not
prompted for their credentials when attempting to access Application Manager. In specific situations where
users are prompted for their credentials to access Application Manager, the Connector presents the login page.
Connector Authentication mode refers to access to Application Manager where the Connector is the starting
point for user authentication.
Table 2-2. Providing User Access to Application Manager in Connector Authentication Mode

User Access From Inside the Enterprise Network:
• Configure Kerberos authentication or username/password authentication.
• You can install the Connector and Application Manager virtual appliances without Internet access.
However, to provide user access from outside the enterprise network, users will need a VPN connection.

User Access From Outside the Enterprise Network:
• Install both the Application Manager and Connector virtual appliances in a manner that provides Internet
access. Kerberos authentication is not available outside the network. Therefore, the best practice is to use
RSA SecurID authentication, though username/password authentication is available as well.

If you decide to enable Internet access to Application Manager and the Connector to provide users outside the
enterprise network access to Application Manager, configure them in one of the following ways:
• Install Application Manager and the Connector inside the DMZ.
• Install a reverse proxy server in the DMZ pointing to Application Manager and the Connector installed
behind the firewall.
• Configure firewall port forwarding or router port forwarding to point to Application Manager and the
Connector installed behind the firewall.
Whichever option you choose, enable SSL on both Application Manager and the Connector before exposing
them to the Internet. On the default insecure ports, usernames, passwords, and SecurID passcodes cross the
Internet in cleartext.
For Connector Authentication mode, if you do not configure IdP discovery, you must provide users access to
specific URLs that direct the authentication flow through the Connector. These URLs contain the appropriate
information to direct users through the Connector directly to Application Manager.
IMPORTANT Configuring IdP discovery eliminates the need to use the long URLs provided in the following
table. See "IdP Discovery," on page 17.

URL | Purpose
https://ConnectorHost.MyDomain/login/ | Use this URL for testing and troubleshooting purposes if Kerberos is not configured. Replace ConnectorHost and MyDomain with the appropriate values.
(Kerberos test URL; not reproduced here) | Use this URL for testing purposes if Kerberos is configured. Replace ConnectorHost and MyDomain with the appropriate values.
(User Web interface URL with MyOrg, MyDomain, and IDP# placeholders; not reproduced here) | When your deployment is production ready, provide this URL to users to give them access to the User Web interface. Replace MyOrg and MyDomain with the appropriate values and replace IDP# with the IdP ID available on the Connector Internal Access page.
(Application URL with SP# placeholder; not reproduced here) | When your deployment is production ready, provide this URL to users to give them one-click access to a specific application. Replace the placeholders. For example, replace SP# with the ID number for a specific application. The application ID numbers are available from the Application Manager User application catalog.
For deployments where Kerberos is configured, the Connector validates user desktop credentials using
Kerberos tickets distributed by the key distribution center (KDC).
In Connector Authentication mode, the Connector acts as a federation server within your network, creating
an in-network federation authority that communicates with Application Manager using SAML 2.0 assertions.
The Connector authenticates the user with Active Directory within the enterprise network (using existing
network security).
A troubleshooting-related aspect of Connector Authentication mode is that users can still be authenticated
even when Kerberos fails. In fact, users can still be authenticated when Kerberos is not configured. In such
cases, an Application Manager redirect takes place causing the Connector to present users with a login page.
This Connector-supplied login page prompts users to provide their usernames and passwords again for access
to Application Manager. The Connector then validates users against Active Directory.
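The assertion consumer is where this in-network federation either holds or fails: whichever side accepts a SAML 2.0 assertion must reject one whose Conditions, AudienceRestriction or SubjectConfirmationData Recipient do not match, and clock drift between the Connector and Application Manager (the Network Time Protocol issue in Chapter 8) surfaces here as NotBefore/NotOnOrAfter failures. The checks below are an added example, not VMware code, and use only the standard SAML 2.0 assertion namespace; the assertion, host names, recipient URL and three-minute skew tolerance are constructed, and XML signature verification, which a real consumer must perform before any of these checks, is deliberately omitted.

```python
"""Relying-party condition checks on a SAML 2.0 assertion.

Added example, not VMware code. Enforces the time window (with a clock-skew
tolerance), AudienceRestriction and SubjectConfirmationData Recipient of a
standard SAML 2.0 assertion. Signature verification is out of scope here (the
standard library has no XML-DSig) and must be done first by a real consumer.
The assertion, names and skew tolerance are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
CLOCK_SKEW = timedelta(minutes=3)   # assumed tolerance; NTP drift beyond it rejects logins

# Constructed assertion issued by a hypothetical Connector for user alice.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2013-03-01T12:00:00Z">
  <saml:Issuer>https://connector.mydomain.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@mydomain.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2013-03-01T12:05:00Z"
          Recipient="https://myorg.mydomain.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-03-01T12:00:00Z" NotOnOrAfter="2013-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://myorg.mydomain.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z, optionally fractional."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sample_now(minutes_after_noon):
    """Clock of the consumer, relative to the sample assertion's IssueInstant."""
    return datetime(2013, 3, 1, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes_after_noon)


def validate_assertion(xml_text, audience, recipient, now):
    """Return the list of reasons to reject; an empty list means the conditions hold."""
    reasons = []
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == "{%s}Assertion" % SAML else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    if assertion.get("Version") != "2.0":
        reasons.append("unsupported SAML version")
    if assertion.find("saml:Subject/saml:NameID", NS) is None:
        reasons.append("missing Subject/NameID")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + CLOCK_SKEW < parse_time(not_before):
            reasons.append("assertion not yet valid (check NTP on both appliances)")
        if not_on_or_after and now - CLOCK_SKEW >= parse_time(not_on_or_after):
            reasons.append("assertion expired (check NTP on both appliances)")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if not audiences:
            reasons.append("missing AudienceRestriction")
        elif audience not in audiences:
            reasons.append("audience mismatch: %s" % audiences)

    data = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if data is None:
        reasons.append("missing SubjectConfirmationData")
    else:
        rcpt = data.get("Recipient", "")
        if rcpt != recipient:
            reasons.append("recipient mismatch: %s" % rcpt)
        if not rcpt.startswith("https://"):
            reasons.append("recipient is not an HTTPS URL")
        expiry = data.get("NotOnOrAfter")
        if expiry and now - CLOCK_SKEW >= parse_time(expiry):
            reasons.append("subject confirmation expired")
    return reasons


if __name__ == "__main__":
    for minutes in (2, 7, 9, -5):
        print(minutes, validate_assertion(SAMPLE_ASSERTION, "https://myorg.mydomain.com",
                                          "https://myorg.mydomain.com/saml/acs", sample_now(minutes)))
```

A consumer clock two minutes after issue passes; seven minutes after issue still passes only because of the assumed three-minute skew allowance, and nine minutes after issue fails on both the Conditions and the subject confirmation, which is the symptom an unsynchronised NTP source produces for every login. The Recipient check is also why each SAML application has to be moved to HTTPS when SSL is enabled: an assertion addressed to the old HTTP URL no longer matches the consumer.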
Connector Authentication Mode and RSA SecurID
After you install the Connector in Connector Authentication mode, you can configure SecurID to provide
additional security. For an overview of using RSA SecurID with the Connector, see Installing and Configuring the Connector.
You can configure SecurID with or without Kerberos. However, the most common use case is to use SecurID
to authenticate users outside the enterprise network, while Kerberos authentication is not available outside
the network. See “IdP Discovery,” on page 17 for more information about configuring two Connector
instances, one instance for users inside the enterprise network and the other for users outside the network.
RSA SecurID with Kerberos configured: Kerberos authentication takes precedence. Users are only prompted for their
SecurID passcode if Kerberos authentication fails. For various reasons, both intentional and unintentional, Kerberos
authentication might not function. For example, you might intentionally prevent specific users from accessing the
enterprise network. Also, non-Windows machines do not support Kerberos authentication. When Kerberos and SecurID
are both configured, but Kerberos authentication fails, users are prompted for their SecurID passcode.

RSA SecurID with username/password verification as part of Connector Authentication mode: SecurID takes precedence
and username/password verification is disabled. Users are prompted for their SecurID passcode. They are never
prompted for their Active Directory credentials.